Adding user access level into process login?
Question
Is there anyway that I'll be able to add user access level through this process code? I have my register code, which will allow normal user to register. I will set the admin only through PHPMyAdmin. How can I define admin user access level with this process page?
CODE: login_process.php
<?php
error_reporting(E_ALL);
ini_set("display_errors", 1);
include_once 'includes/db_connect.php';
include_once 'includes/functions.php';
sec_session_start(); // Our custom secure way of starting a PHP session.
if (isset($_POST['email'], $_POST['p'])) {
$email = $_POST['email'];
$password = $_POST['p']; // The hashed password.
if (login($email, $password, $mysqli) == true) {
// Login success
header('Location: ./protected_page.php');
} else {
// Login failed
header('Location: ./index.php?error=1');
}
}
else {
// The correct POST variables were not sent to this page.
echo 'Invalid Request';
}
?>
Code: Login function
function login($email, $password, $mysqli) {
// Using prepared statements means that SQL injection is not possible.
if ($stmt = $mysqli->prepare("SELECT id, username, password, salt
FROM members
WHERE email = ?
LIMIT 1")) {
$stmt->bind_param('s', $email); // Bind "$email" to parameter.
$stmt->execute(); // Execute the prepared query.
$stmt->store_result();
// get variables from result.
$stmt->bind_result($user_id, $username, $db_password, $salt);
$stmt->fetch();
// hash the password with the unique salt.
$password = hash('sha512', $password . $salt);
if ($stmt->num_rows == 1) {
// If the user exists we check if the account is locked
// from too many login attempts
if (checkbrute($user_id, $mysqli) == true) {
// Account is locked
// Send an email to user saying their account is locked
return false;
} else {
// Check if the password in the database matches
// the password the user submitted.
if ($db_password == $password) {
// Password is correct!
// Get the user-agent string of the user.
$user_browser = $_SERVER['HTTP_USER_AGENT'];
// XSS protection as we might print this value
$user_id = preg_replace("/[^0-9]+/", "", $user_id);
$_SESSION['user_id'] = $user_id;
// XSS protection as we might print this value
$username = preg_replace("/[^a-zA-Z0-9_\-]+/",
"",
$username);
$_SESSION['username'] = $username;
$_SESSION['login_string'] = hash('sha512',
$password . $user_browser);
// Login successful.
return true;
} else {
// Password is not correct
// We record this attempt in the database
$now = time();
$mysqli->query("INSERT INTO login_attempts(user_id, time)
VALUES ('$user_id', '$now')");
return false;
}
}
} else {
// No user exists.
return false;
}
}
}
Example Code:
if (login($username="admin_username") {
// Login admin success
header('Location: ./protected_page.php');
} else (login($email, $password, $mysqli) == true){
// Login success
header('Location: ./user.php');
}
} else {
// Login failed
header('Location: ./index.php?error=1');
}
1 answers
solution1
0 2014-08-08 03:41:58
Well, it depends on how you are storing the data in your database but if your user table has columns : user_name, password, user_type.
when you check if user_name and the password match on your login function you could do :
SELECT user_name, password, user_type FROM users WHERE user_name = '".$email."' AND password = '".$password"'";
Then you check the number of returned rows, if 0 is returned then the credentials don't match, you don't log the user in. If they match, then you can use the user_level to redirect where you want.
If you can post your login function I could explain you showing the changes to do into the code.
edit : adding fixed functions after he posted he login function.
Login validation :
include_once 'includes/db_connect.php';
include_once 'includes/functions.php';
sec_session_start(); // Our custom secure way of starting a PHP session.
if (isset($_POST['email'], $_POST['p'])) {
$email = $_POST['email'];
$password = $_POST['p']; // The hashed password.
if (login($email, $password, $mysqli) == true) {
// Login success
//Redirecting to admin protected page for instance
if( isset($_session['user_type']) and $_session['user_type'] == 'admin' )
header('Location: ./protected_page.php');
else {
//redirect to normal logged user
header('Location: ./normal_user_logged.php');
}
} else {
// Login failed
header('Location: ./index.php?error=1');
}
}
else {
// The correct POST variables were not sent to this page.
echo 'Invalid Request';
}
?>
Login function :
function login($email, $password, $mysqli) {
// Using prepared statements means that SQL injection is not possible.
if ($stmt = $mysqli->prepare("SELECT id, username, password, salt, user_type
FROM members
WHERE email = ?
LIMIT 1")) {
$stmt->bind_param('s', $email); // Bind "$email" to parameter.
$stmt->execute(); // Execute the prepared query.
$stmt->store_result();
// get variables from result.
$stmt->bind_result($user_id, $username, $db_password, $salt, $user_type);
$stmt->fetch();
// hash the password with the unique salt.
$password = hash('sha512', $password . $salt);
if ($stmt->num_rows == 1) {
// If the user exists we check if the account is locked
// from too many login attempts
if (checkbrute($user_id, $mysqli) == true) {
// Account is locked
// Send an email to user saying their account is locked
return false;
} else {
// Check if the password in the database matches
// the password the user submitted.
if ($db_password == $password) {
// Password is correct!
// Get the user-agent string of the user.
$user_browser = $_SERVER['HTTP_USER_AGENT'];
// XSS protection as we might print this value
$user_id = preg_replace("/[^0-9]+/", "", $user_id);
$_SESSION['user_id'] = $user_id;
// XSS protection as we might print this value
$username = preg_replace("/[^a-zA-Z0-9_\-]+/",
"",
$username);
$_SESSION['username'] = $username;
$_SESSION['login_string'] = hash('sha512',
$password . $user_browser);
// Login successful.
$_SESSION['user_type'] = $user_type;
return true;
} else {
// Password is not correct
// We record this attempt in the database
$now = time();
$mysqli->query("INSERT INTO login_attempts(user_id, time)
VALUES ('$user_id', '$now')");
return false;
}
}
} else {
// No user exists.
return false;
}
}
}
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.
Related Question
PHP Login with Access user Level
Redirecting user after login depending on their level of access (usergroup)
Login - User Level
ajax + php login with access level
problem with different level of user login
Multi level user login and session
PHP Login with differerent user level
PHP multiple user level login page
PDO login - add user level to session
Magento can't login in admin and user level
Related Tags